Big Commerce / CyberSource Tokens - token

We are looking to get payment card tokens on every order. I believe we only get the payment tokens on registered users but need them for all orders. Is it possible to set up CyberSource to provide the transaction id and customer and payment tokens on all orders?
Did the normal setup for CyberSource and verified in the order data that tokens only appear for registered users.

Related

Xero API Token Handling

We think we have a challenge with Xero tokens, possibly due to how we store and retrieve the access and refresh token.
We have an application that seems to disconnect some tenants/Xero Organizations from time to time. We are currently storing a single token (and using refresh and access tokens) without issue, but it feels like when a different user then authorizes a new tenant within our partner organization, some of the previously authorized tenants stop working.
Do we need to maintain a new set of tokens per user who authorized the request? E.g. User A has a set of Access+Refresh Tokens and User B has a set of Access + Refresh tokens? If so, how do we keep track of what user has authorized which organization last? E.g. if User A authorized Org1 and User B authorized Org2, but then User A also authorized Org2, when our app (per schedule) needs to access Org2 do we just have to enumerate all the tokens and call GetOrganizations() to determine which ones they have?
Again, we have been operating on the idea that a single Access + Refresh token is all we should work with despite working with 100s of tenants/Organizations.
Any great advice on the proper way to store and re-use tokens for Xero would be really appreciated.
We used to store tokens separately, but then combined them into a single token as it seemed correct. We still seem to have a few issues, and are not sure if we need to store a token per user (e.g. decrypt the Access Token, then get the User ID, and store 1 pair (access + refresh) per unique user ID). Is this the proper way so that we don't have disconnects all the time?
Access tokens are issued per user per app. So user A would have one token pair for all the Xero organisations that they have authorised with your app and user B would have another pair for the organisations that they have authorised.
Storing 1 pair per user id would be a good idea.
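A sketch of the per-user storage the answer recommends, added here as an example and not taken from the original posts or from Xero's SDK. The class and method names are hypothetical, and the user ID and tenant list for each authorisation are assumed to be supplied by the caller; all sample values are constructed.

```python
class XeroTokenStore:
    """One access+refresh pair per authorising user, plus an index of
    which users have authorised each tenant and when (hypothetical helper)."""

    def __init__(self):
        self.pairs = {}   # user_id -> {"access": str, "refresh": str}
        self.grants = {}  # tenant_id -> {user_id: time of latest authorisation}

    def save_authorisation(self, user_id, access, refresh, tenant_ids, when):
        # A new consent replaces only this user's pair; other users' pairs stay valid.
        self.pairs[user_id] = {"access": access, "refresh": refresh}
        for tenant_id in tenant_ids:
            self.grants.setdefault(tenant_id, {})[user_id] = when

    def save_refresh(self, user_id, access, refresh):
        # Store the pair returned by a refresh under the user it was issued for.
        if user_id not in self.pairs:
            raise KeyError(f"no stored pair for user {user_id}")
        self.pairs[user_id] = {"access": access, "refresh": refresh}

    def drop_user(self, user_id):
        # Call when a user's refresh token is rejected or the user disconnects.
        self.pairs.pop(user_id, None)
        for users in self.grants.values():
            users.pop(user_id, None)

    def pair_for_tenant(self, tenant_id):
        """Return (user_id, pair) for the user who most recently authorised the tenant."""
        users = self.grants.get(tenant_id, {})
        if not users:
            raise LookupError(f"no user currently authorises tenant {tenant_id}")
        user_id = max(users, key=users.get)
        return user_id, self.pairs[user_id]


def scenario():
    # Constructed data following the question: A -> Org1, B -> Org2, then A -> Org2.
    store = XeroTokenStore()
    store.save_authorisation("userA", "a-access-1", "a-refresh-1", ["Org1"], when=1)
    store.save_authorisation("userB", "b-access-1", "b-refresh-1", ["Org2"], when=2)
    store.save_authorisation("userA", "a-access-2", "a-refresh-2", ["Org1", "Org2"], when=3)
    return store
```

The scheduled job looks up the pair by tenant, so it never has to enumerate every stored token to find one that covers Org2.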

SagePay Token issue

I am working for a client who has a legacy Server integration and makes use of the Token system. The SagePay API shows they have 1583 saved Tokens however they only have 421 saved in their database - a huge discrepancy which I have been asked to investigate.
I think this is what has been happening:
Customer decides to click the "Save your card details" checkbox on their website
The POST is sent to SagePay containing "CreateToken=1&StoreToken=1"
Customer gets redirected to SagePay and decides to pay by PayPal instead
A Token gets created and the company gets charged for it even though it can't ever be used
The Dev before me saved the Token from the notification page only if the payment type used was Credit Card, which makes sense. What nobody realised until now was that SagePay would create and save Tokens even if the customer paid with PayPal. Surely this shouldn't be the case!
That means we have 1162 Tokens that we have simply lost control of. It is quite expensive to store so many Tokens and I have been asked to see if I can reduce the number. It is fairly easy to remove Tokens through the SagePay API, that is if you have the original Token! In this case, we don't have all of them.
I have contacted SagePay support but they just referred me to the API which doesn't solve the issue.
Will the Tokens we've lost control of simply naturally expire and delete?
Is there anything we can do to reduce the number of Tokens?
Thanks
There are two ways to create tokens:
As part of a PAYMENT, ask SagePay to additionally tokenize the card details (so you can reuse them without needing to store the card details)
Outwith a payment, you can send arbitrary card details and ask SagePay to store them in a TOKEN request.
If you are creating a token in a standalone TOKEN request, and then thereafter submitting a PAYMENT using the previously tokenized details, the solution I would recommend is creating a token as part of a PAYMENT (i.e. one API request rather than two).
If you are already creating the token as part of the PAYMENT, the only solution I could recommend is keeping track of tokens stored in your data store, and if they haven't been used for any payments, have a scheduled job to remove these tokens (using the REMOVETOKEN request).
There seems to be a bug on submitting createToken=1 via Server, when the consumer selects PayPal - if you use the Reporting API to query such a useless token, the expiry returned is XXXX - which means it will never expire, so your client will be paying for it forever!
I'd contact Sage support if I were you and request a complete list of tokens that they hold, then use the API to query getTokenDetails on each, then discard those which are not usable / no longer active (via the REMOVETOKEN API call).
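The reconciliation the two answers describe, as an added example that is not part of the original posts and calls no SagePay API. The record layout, the `CARD` label, the function names and the one-year idle window are assumptions, and the gateway token list is taken to be the one obtained from support.

```python
from datetime import datetime, timedelta

CARD = "CARD"  # hypothetical payment-type label used in this example's own records


def record_notification(local_tokens, token, payment_type, when):
    # Keep every token the gateway reports, whatever the payment type, so none
    # is lost; whether it is usable is decided later by the cleanup plan.
    local_tokens.setdefault(
        token, {"payment_type": payment_type, "created": when, "last_used": None}
    )


def plan_cleanup(gateway_tokens, local_tokens, now, max_idle=timedelta(days=365)):
    """Map each token that should get a REMOVETOKEN request to the reason."""
    plan = {}
    for token in gateway_tokens:
        row = local_tokens.get(token)
        if row is None:
            plan[token] = "orphaned: held by the gateway, unknown locally"
        elif row["payment_type"] != CARD:
            plan[token] = "unusable: created during a non-card payment"
        else:
            last = row["last_used"] or row["created"]
            if now - last > max_idle:
                plan[token] = "idle: no payment within the retention window"
    return plan


def stale_local_rows(gateway_tokens, local_tokens):
    # Local rows whose token the gateway no longer holds can be deleted locally.
    return sorted(set(local_tokens) - set(gateway_tokens))
```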

Enabling OAuth support in Square Connect

I have an application that currently integrates into my merchant account using my access token. Early discussion with neighborhood merchants indicates some positive interest. I want to integrate OAuth support so that I can try to get traction with those merchants.
Though https://docs.connect.squareup.com/api/connect/v1/#navsection-oauth has information, I seek some additional clarification.
(i) "Access using https redirect-url is denied at Square Connect Authorize" has an answer: "By default the OAuth flow is disabled for applications which is why you are seeing the "Authorization not allowed" failure. If you wish to enable OAuth flow for your application then you need to contact Square." @SquareConnectSupport: I have sent an email to Developer@Square, please let me know what else I should do.
(ii) Here is how I think it will work - the OAuth integration (Please confirm)
User types in browser say "mysnow.com/square"
The Handler at "mysnow.com/square" allows the user to type in an ID; this ID is local to mysnow
Then the Handler at "mysnow.com/square" directs the merchant to https://connect.squareup.com/oauth2/authorize along with my application id, permissions and redirect url.
The handler then receives a notification code with AuthZ Code at the redirect URL previously provided.
Next the handler obtains the Access token (using the AuthZ code)
Finally, the handler then saves the ID, the AuthZ code, the relevant Access Token and the date/time stamp (when the token was obtained) as a tuple in a safe data store.
(iii) Using the Access Token
When there is need to access merchant data of given ID, then use the ID to get the Access Token. Use this Access Token to manage the permitted data (based on permission)
Renew the access token periodically.
(iv) For testing purposes, I create few test/dummy merchants? Or do you have dummy merchant accounts that I can use for testing.
You can authorize up to ten merchants through the OAuth flow without approval from Square, which should be enough to get your integration running and tested. If you would like to make it more broadly available, you will need to contact Square about getting the app in the Square App Marketplace.
That looks essentially correct. The best practice for OAuth is something like this:
Merchant visits your landing page (e.g. mysnow.com/square) and clicks an action to start using your square integration.
Merchant's browser is redirected to the OAuth page (https://squareup.com/oauth2/authorize?client_id=YOUR_CLIENT_ID&scope=LIST_OF_OAUTH_SCOPES_YOU_NEED)
Merchant authorizes your application to access their data and is redirected back to your site. In the URL is an authorization code
Your backend makes an API call to Square to exchange the authorization code for an access token. It then uses that access token to look up information about the merchant and pre-populate fields of your signup form (e.g. you can get name, email, etc)
With a partially populated signup form on your site, merchant is prompted to complete their registration with your service.
There isn't really a way to create "dummy" merchants, but you can sign up for multiple merchant accounts with the same identity information, as long as you use a different email for each one. If you have GMail, you can do "you+someword@gmail.com" and the mail will be redirected to "you@gmail.com", so you don't need to create a bunch of email accounts to have unique email addresses.
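One way to tie the local ID from step (ii) to the authorization code that comes back on the redirect, added here as an example that is not part of the original posts. It uses the standard OAuth 2.0 `state` parameter; the key handling, session ID, callback path and function names are assumptions, and the token exchange itself is left out.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://connect.squareup.com/oauth2/authorize"  # URL quoted in the question
STATE_KEY = secrets.token_bytes(32)  # hypothetical server-side secret; keep it in a secret store


def _mac(payload, session_id):
    # Binding the MAC to the browser session means a state value minted in one
    # session is rejected when it arrives in another.
    return hmac.new(STATE_KEY, payload + b"|" + session_id.encode(), hashlib.sha256).digest()


def make_state(local_id, session_id, now=None):
    ts = int(time.time() if now is None else now)
    payload = json.dumps({"id": local_id, "ts": ts}).encode()
    b64 = base64.urlsafe_b64encode
    return b64(payload).decode() + "." + b64(_mac(payload, session_id)).decode()


def authorize_url(client_id, scopes, local_id, session_id, now=None):
    query = urlencode({"client_id": client_id, "scope": " ".join(scopes),
                       "state": make_state(local_id, session_id, now)})
    return f"{AUTHORIZE_URL}?{query}"


def read_callback(callback_url, session_id, max_age=600, now=None):
    """Return (local_id, authorization_code) or raise ValueError."""
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [""])[0]
    code = qs.get("code", [""])[0]
    try:
        p64, m64 = state.split(".")
        payload, mac = base64.urlsafe_b64decode(p64), base64.urlsafe_b64decode(m64)
    except ValueError:
        raise ValueError("malformed state") from None
    if not hmac.compare_digest(mac, _mac(payload, session_id)):
        raise ValueError("state does not belong to this session")
    data = json.loads(payload)
    now = time.time() if now is None else now
    if now - data["ts"] > max_age:
        raise ValueError("state expired")
    if not code:
        raise ValueError("missing authorization code")
    return data["id"], code
```

Only after `read_callback` succeeds should the backend exchange the code for an access token and store it against the returned local ID.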

Future payment api with the single payment api - Can I use consent within the paypal sdk?

From this document: https://github.com/paypal/PayPal-iOS-SDK/blob/master/docs/future_payments_server.md#create-a-payment
It says:
Once a user has authorized your app to use their PayPal account, you can then use that authorization to obtain tokens that let you create future payments from that user.
That's fine, however I see no mention of using the aforementioned token in a PayPal payment call using the native sdk?
Do we really need to do this via network requests (i.e. cURL?)
Some clarification on this point would be great. As it seems a little weird that the PayPal payment api cannot accept a token from a future payment authorization in its call.
An answer to this would be great. Thank you.
Dave from PayPal here.
@PersuitOfPerfection, usually it would be your server that would be handling the tasks of securely storing the refresh token and then -- when a payment is to occur -- using the refresh token to generate an access token and using the access token to create a payment.
After all, it will be your server that controls whatever action the payment is for -- providing a service or shipping physical goods.
Are you planning some different model of client/server/delivery interaction?

Authorize.net Token Expiration

So every time a customer enters the credit card information on my site, their credit card information gets stored (partially) in the database along with the corresponding gateway payment token for Authorize.net. How long is this token good for before it expires in the production site? I'm assuming that these tokens in development or staging accounts will never expire? Thanks!
Are you referring to the "customer_profile_id" that gets returned from Authorize.net? If so, this token does not expire. Be aware, that the credit card associated with the profile can expire/get cancelled/etc though, which would result in errors when you attempt to do a future purchase with that token.
